Bug#58022 ... like ... escape export_set ( ... ) crashes when export_set returns warnings

ESCAPE argument might be empty string. It leads to server crash under some circumstances. The fix: -added check if ESCAPE argument result is not empty string mysql-test/r/ctype_latin1.result: test case mysql-test/t/ctype_latin1.test: test case sql/item_cmpfunc.cc: -added check if ESCAPE argument result is not empty string

Bug#58022 ... like ... escape export_set ( ... ) crashes when export_set returns warnings
ESCAPE argument might be empty string. It leads to server crash under some circumstances. The fix: -added check if ESCAPE argument result is not empty string mysql-test/r/ctype_latin1.result: test case mysql-test/t/ctype_latin1.test: test case sql/item_cmpfunc.cc: -added check if ESCAPE argument result is not empty string
1c94d43b · Sergey Glukhov · 21bc09c2 · 1c94d43b · 1c94d43b · 1c94d43b
Commit 1c94d43b authored Nov 18, 2010 by Sergey Glukhov
Showing with 19 additions and 5 deletions

mysql-test/r/ctype_latin1.result mysql-test/r/ctype_latin1.result +8 -0

mysql-test/t/ctype_latin1.test mysql-test/t/ctype_latin1.test +5 -0

sql/item_cmpfunc.cc sql/item_cmpfunc.cc +6 -5

No files found.
--- a/mysql-test/r/ctype_latin1.result
+++ b/mysql-test/r/ctype_latin1.result
@@ -409,3 +409,11 @@ select hex(cast(_ascii 0x7f as char(1) character set latin1));
 hex(cast(_ascii 0x7f as char(1) character set latin1))
 7F
 End of 5.0 tests
+#
+# Bug#58022 ... like ... escape export_set ( ... ) crashes when export_set returns warnings
+#
+SELECT '' LIKE '' ESCAPE EXPORT_SET(1, 1, 1, 1, '');
+'' LIKE '' ESCAPE EXPORT_SET(1, 1, 1, 1, '')
+1
+Warnings:
+Warning	1292	Truncated incorrect INTEGER value: ''
--- a/mysql-test/t/ctype_latin1.test
+++ b/mysql-test/t/ctype_latin1.test
@@ -127,3 +127,8 @@ DROP TABLE `abc
 select hex(cast(_ascii 0x7f as char(1) character set latin1));
 --echo End of 5.0 tests
+--echo #
+--echo # Bug#58022 ... like ... escape export_set ( ... ) crashes when export_set returns warnings
+--echo #
+SELECT '' LIKE '' ESCAPE EXPORT_SET(1, 1, 1, 1, '');
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@@ -4692,6 +4692,7 @@ bool Item_func_like::fix_fields(THD *thd, Item **ref)
    String *escape_str= escape_item->val_str(&cmp.value1);
    if (escape_str)
    {
+      const char *escape_str_ptr= escape_str->ptr();
      if (escape_used_in_parsing && (
             (((thd->variables.sql_mode & MODE_NO_BACKSLASH_ESCAPES) &&
                escape_str->numchars() != 1) ||
@@ -4706,9 +4707,9 @@ bool Item_func_like::fix_fields(THD *thd, Item **ref)
        CHARSET_INFO *cs= escape_str->charset();
        my_wc_t wc;
        int rc= cs->cset->mb_wc(cs, &wc,
-                                (const uchar*) escape_str->ptr(),
+                                (const uchar*) escape_str_ptr,
-                                (const uchar*) escape_str->ptr() +
+                                (const uchar*) escape_str_ptr +
-                                               escape_str->length());
+                                escape_str->length());
        escape= (int) (rc > 0 ? wc : '\\');
      }
      else
@@ -4725,13 +4726,13 @@ bool Item_func_like::fix_fields(THD *thd, Item **ref)
        {
          char ch;
          uint errors;
-          uint32 cnvlen= copy_and_convert(&ch, 1, cs, escape_str->ptr(),
+          uint32 cnvlen= copy_and_convert(&ch, 1, cs, escape_str_ptr,
                                          escape_str->length(),
                                          escape_str->charset(), &errors);
          escape= cnvlen ? ch : '\\';
        }
        else
-          escape= *(escape_str->ptr());
+          escape= escape_str_ptr ? *escape_str_ptr : '\\';
      }
    }
    else